Friday, April 13, 2012

How to Activate TRIM on LUKS Encrypted Partitions in Ubuntu & Debian

This step-by-step walkthrough lets you take advantage of TRIM on your encrypted SSD partitions with cryptsetup 1.4 or higher and kernel 3.1 or higher. This leads to a hassle-free SSD experience because:

"TRIM enables the SSD to handle garbage collection overhead, that would otherwise significantly slow down future write operations to the involved blocks, in advance."

Example Setup

Notebook with SSD as the single drive, Linux installed in single ext4 LVM root partition with LVM swap partition, both over LUKS encrypted logical partition.

The last step is not enough though. As long as LUKS is not aware that you want to use TRIM, it will effectively block all TRIM operations coming from the LVM partition's file system, for security reasons. Add the discard parameter to the cryptdevice options in /etc/crypttab to make LUKS accept the discard behavior of the LVM partition.

sda5_crypt UUID=e364d03f-[...]6cd7e none luks,discard

Rebuild your initramfs. The crypttab options are stored there and used on boot.

sudo update-initramfs -c -k all

Reboot.

Check if TRIM is now active.

sudo dmsetup table /dev/mapper/sda5_crypt --showkeys

If the last command shows a result like this (1 allow_discards at the end) you're all set.
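The two settings this walkthrough relies on can be checked by script. The following is an added example, not part of the original post: a POSIX shell check that the crypttab entry carries discard and that the dm-crypt table line lists allow_discards among its optional parameters. The sample crypttab, UUIDs and table lines are constructed, the function names are hypothetical, and the parser assumes the dm-crypt table layout of start, length, crypt, cipher, key, iv_offset, device, offset, then an optional parameter count and the parameters.

```shell
#!/bin/sh
# Added example: verify both places where the discard setting has to appear.

# Constructed sample data (not from a real system).
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard
sdb1_crypt UUID=11111111-1111-1111-1111-111111111111 none luks'
SAMPLE_TABLE_ON='0 488392704 crypt aes-xts-plain64 0000000000000000 0 8:5 4096 1 allow_discards'
SAMPLE_TABLE_OFF='0 488392704 crypt aes-xts-plain64 0000000000000000 0 8:5 4096'

# crypttab_has_discard NAME  (crypttab text on stdin; hypothetical helper)
# Succeeds only if entry NAME lists "discard" in its 4th (options) field.
crypttab_has_discard() {
    awk -v name="$1" '
        $1 ~ /^#/ { next }                       # skip comment lines
        $1 == name {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
        }
        END { exit !found }
    '
}

# table_allows_discards LINE  (one dm-crypt table line; hypothetical helper)
# Assumed layout: start length crypt cipher key iv_offset device offset [count opt...]
# Only the counted optional parameters are inspected, so a stray match elsewhere
# in the line (for example in a device path) is not accepted.
table_allows_discards() {
    printf '%s\n' "$1" | awk '
        $3 == "crypt" && NF >= 9 {
            count = $9 + 0
            for (i = 10; i < 10 + count && i <= NF; i++)
                if ($i == "allow_discards") found = 1
        }
        END { exit !found }
    '
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_has_discard sda5_crypt; then
    echo "crypttab: sda5_crypt requests discard"
fi
if table_allows_discards "$SAMPLE_TABLE_ON"; then
    echo "dm-crypt table: allow_discards is active"
fi
if ! table_allows_discards "$SAMPLE_TABLE_OFF"; then
    echo "dm-crypt table without the option: TRIM is still blocked"
fi
```

On a live system, feed /etc/crypttab to the first function on stdin and pass the second one the output of sudo dmsetup table /dev/mapper/sda5_crypt. Leaving out --showkeys keeps the volume key masked in that output while allow_discards is still shown.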

Thanks for the thanks. :) It's nice to see that this little post actually helped others.

@Rodney: you're absolutely right, this potentially decreases the security level. Which is why this probably may never be active by default.

@#8: you can add the trim support whenever, as long as you are running a setup with LVM over LUKS. As to what happens with data that is deleted "pre-trim": my guess is it's marked as deleted but not really deleted, which is why an encrypted drive without TRIM is actually more secure, because you don't get blocks with no data in between your encrypted data. Over time the SSD is filled up with such "marked as deleted" data which doesn't just get overwritten with new data though - slowing down writes.

As I said, this is just a guess. Corrections and pointers to other sources would be welcome.